Обсуждение: No SPF record for postgresql.org?
I've been tinkering with setting up SPF-based filtering on my mail server, and I was surprised to find out that most of the traffic it would want to throw away is Postgres mailing list messages. Why is it that there's no SPF record for postgresql.org? I realize that there's debate about how useful SPF actually is, but surely that's not a reason not to publish an SPF entry. regards, tom lane
On 16 Oct 2016, at 19:28, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > I've been tinkering with setting up SPF-based filtering on my mail > server, and I was surprised to find out that most of the traffic > it would want to throw away is Postgres mailing list messages. > Why is it that there's no SPF record for postgresql.org? I realize > that there's debate about how useful SPF actually is, but surely > that's not a reason not to publish an SPF entry. As an extra data point, the lack of SPF and DKIM for postgresql.org is a bit of a pain when using @postgresql.org email address too. :( Especially to Yahoo email users. Maybe thankfully, Yahoo might not be a problem for that much longer. ;) + Justin -- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
On Sun, Oct 16, 2016 at 8:29 PM, Justin Clift <justin@postgresql.org> wrote: > On 16 Oct 2016, at 19:28, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> >> I've been tinkering with setting up SPF-based filtering on my mail >> server, and I was surprised to find out that most of the traffic >> it would want to throw away is Postgres mailing list messages. > > As an extra data point, the lack of SPF and DKIM for postgresql.org > is a bit of a pain when using @postgresql.org email address too. :( I understand how SPF affects @postgresql.org addresses but I was under the impression that it was no help for mailing list traffic since it's being relayed so the ip address isn't going to match the records for the sending domain anyways. For relayed traffic you need the verify the DKIM signature (which is why it's important that the list not modify the content). -- greg
On Sun, Oct 16, 2016 at 12:32 PM, Greg Stark <stark@mit.edu> wrote:
On Sun, Oct 16, 2016 at 8:29 PM, Justin Clift <justin@postgresql.org> wrote:
> On 16 Oct 2016, at 19:28, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>
>> I've been tinkering with setting up SPF-based filtering on my mail
>> server, and I was surprised to find out that most of the traffic
>> it would want to throw away is Postgres mailing list messages.
>
> As an extra data point, the lack of SPF and DKIM for postgresql.org
> is a bit of a pain when using @postgresql.org email address too. :(
I understand how SPF affects @postgresql.org addresses but I was under
the impression that it was no help for mailing list traffic since it's
being relayed so the ip address isn't going to match the records for
the sending domain anyways. For relayed traffic you need the verify
the DKIM signature (which is why it's important that the list not
modify the content).
Yes, these are very different problems. DKIM is definitely causing issues with the lists at this point, and we're working on a solution for that.
SPF is a different beast. We have SPF set up for most of our non-postgresql.org domains, but we've been hesitant to touch the actual postgresql.org domain until we have separate out the list namespaces. It *should* be safe, but we just haven't wanted to touch it until we were certain. At least that's my recollection of it, Stefan might have more details.
Greg Stark <stark@mit.edu> writes: > I understand how SPF affects @postgresql.org addresses but I was under > the impression that it was no help for mailing list traffic since it's > being relayed so the ip address isn't going to match the records for > the sending domain anyways. No, I think you're confusing it with DKIM. SPF checks to see whether the sending machine is an authorized IP address for the domain of the envelope FROM address --- which'd be the list itself. For example, the whine I'm getting about this message is Received-SPF: none (sss.pgh.pa.us: domain of postgresql.org does not provide an SPF record) client-ip=217.196.149.56; envelope-from=sss.pgh.pa.us@postgresql.org;helo=malur.postgresql.org; The original sender having been stark@mit.edu doesn't enter into it. regards, tom lane
Magnus Hagander <magnus@hagander.net> writes: > SPF is a different beast. We have SPF set up for most of our > non-postgresql.org domains, but we've been hesitant to touch the actual > postgresql.org domain until we have separate out the list namespaces. It > *should* be safe, but we just haven't wanted to touch it until we were > certain. At least that's my recollection of it, Stefan might have more > details. OK, as long as there's a plan. I'm going to whitelist postgresql.org anyway, so it doesn't matter to me. It just seemed like publishing an SPF entry is an important part of don't-look-like-a-spammer these days. regards, tom lane